Index: www/h2o/Makefile
===================================================================
--- www/h2o/Makefile
+++ www/h2o/Makefile
@@ -1,15 +1,16 @@
-# Created by: Dave Cottlehuber 
+# Created by: Dave Cottlehuber
 # $FreeBSD$
 PORTNAME= h2o
 DISTVERSIONPREFIX= v
-DISTVERSION= 2.2.3
+DISTVERSION= 2.2.4
 CATEGORIES= www
-MAINTAINER= dch@skunkwerks.at
+MAINTAINER= dch@FreeBSD.org
 COMMENT= Optimized HTTP/2 server including support for TLS 1.3 and HTTP/1.x
-LICENSE= MIT
+LICENSE= MIT BSD2CLAUSE
+LICENSE_COMB= multi
 BROKEN_armv6= fails to compile: asm_arm.inc:139:36: '.syntax divided' arm assembly not supported
 BROKEN_armv7= fails to compile: asm_arm.inc:139:36: '.syntax divided' arm assembly not supported
@@ -23,7 +24,7 @@
 PORTDOCS= README.md
-SUB_FILES= ${PORTNAME}
+SUB_FILES= ${PORTNAME} ${PORTNAME}.conf.sample
 SUB_LIST+= H2O_USER=${H2O_USER} \
 H2O_GROUP=${H2O_GROUP} \
 H2O_LOGDIR=${H2O_LOGDIR}
@@ -55,15 +56,17 @@
 post-patch:
 @${REINPLACE_CMD} -e 's|exec perl|exec ${LOCALBASE}/bin/perl|' \
 ${WRKSRC}/share/h2o/annotate-backtrace-symbols \
+ ${WRKSRC}/share/h2o/fastcgi-cgi \
 ${WRKSRC}/share/h2o/fetch-ocsp-response \
 ${WRKSRC}/share/h2o/kill-on-close \
+ ${WRKSRC}/share/h2o/setuidgid \
 ${WRKSRC}/share/h2o/start_server
 post-install:
 ${MKDIR} ${STAGEDIR}${ETCDIR} \
 ${STAGEDIR}${H2O_LOGDIR}
 ${INSTALL_DATA} \
- ${FILESDIR}/${PORTNAME}.conf.sample \
+ ${WRKDIR}/${PORTNAME}.conf.sample \
 ${STAGEDIR}${ETCDIR}/${PORTNAME}.conf.sample
 post-install-DOCS-on:
Index: www/h2o/distinfo
===================================================================
--- www/h2o/distinfo
+++ www/h2o/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1508527966
-SHA256 (h2o-h2o-v2.2.3_GH0.tar.gz) = d40401ca714d00ca5204e8d22148dbaa9cae3407e3b4b6b62bd208543901ea51
-SIZE (h2o-h2o-v2.2.3_GH0.tar.gz) = 16207150
+TIMESTAMP = 1513347798
+SHA256 (h2o-h2o-v2.2.4_GH0.tar.gz) = ebacf3b15f40958c950e18e79ad5a647f61e989c6dbfdeea858ce943ef5e3cd8
+SIZE (h2o-h2o-v2.2.4_GH0.tar.gz) = 16212596
Index: www/h2o/files/h2o.conf.sample
===================================================================
--- www/h2o/files/h2o.conf.sample
+++ /dev/null
@@ -1,32 +0,0 @@
-# vi: ft=yaml
-# see https://h2o.examp1e.net/ for detailed documentation
-# see h2o --help for command-line options and settings
-user: www
-pid-file: /var/run/h2o.pid
-access-log: /var/log/h2o/h2o-access.log
-error-log: /var/log/h2o/h2o-error.log
-listen: 80
-listen:
- port: 443
- ssl:
- minimum-version: TLSv1.2
- # generate your own certificates
- certificate-file: /usr/local/etc/h2o/server.crt
- key-file: /usr/local/etc/h2o/server.key
-# enable Apache-style directory listings
-# file.dirlisting: on
-# per-host configuration
-hosts:
- my.example.org:
- paths:
- "/":
- file.dir: "/usr/local/www/data/my.example.org"
- pkg.example.org:
- # virtual directory layout
- paths:
- "/poudriere":
- file.dir: "/usr/local/poudriere/data/logs/bulk"
- "/FreeBSD:10:amd64":
- file.dir: "/usr/local/poudriere/data/packages/10_2_amd64-default/"
- "/FreeBSD:11:amd64":
- file.dir: "/usr/local/poudriere/data/packages/current_amd64-default/"
Index: www/h2o/files/h2o.conf.sample.in
===================================================================
--- /dev/null
+++ www/h2o/files/h2o.conf.sample.in
@@ -0,0 +1,104 @@
+# this sample config gives you a feel for how h2o can be used
+# and a high-security configuration for TLS and HTTP headers
+# see https://h2o.examp1e.net/ for detailed documentation
+# and h2o --help for command-line options and settings
+user: www
+pid-file: /var/run/h2o.pid
+# log normal access to file
+access-log: /var/log/h2o/access.log
+# send errors to syslog
+error-log: "| logger -i -p daemon.err -t h2o"
+
+# as of 2017-12-01 the following TLS config and headers, with
+# DNS CAA records and custom diffie-hellmann parameters via
+# `openssl dhparam -out %%PREFIX%%/etc/ssl/dhparam.pem 4096`
+# will get you:
+
+# A+ on https://www.ssllabs.com/ssltest/
+listen: 80
+listen:
+ port: 443
+ ssl:
+ # using at least TLS1.2 restricts many older devices
+ minimum-version: TLSv1.1
+ dh-file: %%PREFIX%%/etc/ssl/dhparam.pem
+ # generate your own certificates with security/acme-client
+ certificate-file: %%PREFIX%%/etc/ssl/acme/example.org/fullchain.pem
+ key-file: %%PREFIX%%/etc/ssl/acme/private/example.org/privkey.pem
+ cipher-preference: server
+ cipher-suite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+
+# A+ on https://securityheaders.io/
+header.add: "x-frame-options: deny"
+header.add: "X-XSS-Protection: 1; mode=block"
+header.add: "X-Content-Type-Options: nosniff"
+header.add: "X-UA-Compatible: IE=Edge"
+header.add: "Referrer-Policy: strict-origin"
+header.add: "Cache-Control: no-transform"
+header.add: "Content-Security-Policy: default-src https:"
+# 6 months HSTS pinning
+header.add: "Strict-Transport-Security: max-age=16000000"
+
+# no patience for slow users
+http1-request-timeout: 10
+http2-idle-timeout: 10
+# limit POST bodies
+limit-request-body: 10485760 # 10MiB
+max-connections: 1024
+
+file.mime.addtypes:
+ image/svg+xml: .svg
+ text/plain: .log
+ text/css: .css
+ application/atom+xml: .xml
+ application/zip: .zip
+ application/json: .json
+ "text/html; charset=utf-8": .html
+
+# per-host configurations
+hosts:
+ # a basic fileserver
+ www.example.org:
+ # enable Apache-style directory listings
+ file.dirlisting: on
+ file.send-gzip: on
+ paths:
+ "/":
+ file.dir: "/var/www/www.example.org"
+ # a simple permanent URL redirect
+ "/blog":
+ redirect:
+ status: 301
+ url: https://blog.example.org/
+ # a password-restricted url
+ "/server-status":
+ mruby.handler: |
+ require "htpasswd.rb"
+ Htpasswd.new("%%ETCDIR%%/private/htpasswd", "example.org")
+ status: ON
+ # redireect Lets Encrypt ACME protocol to a specific challenge directory
+ "/.well-known/acme-challenge":
+ file.dir: "/var/www/acme"
+ # virtual directory layout to support serving FreeBSD packages built by poudriere
+ pkg.example.org:
+ paths:
+ "/poudriere":
+ file.dir: "%%PREFIX%%/poudriere/data/logs/bulk"
+ "/FreeBSD:10:amd64":
+ file.dir: "%%PREFIX%%/poudriere/data/packages/10_amd64-default/"
+ "/FreeBSD:11:amd64":
+ file.dir: "%%PREFIX%%/poudriere/data/packages/11_amd64-default/"
+ # a simple ruby-powered embedded JSON API
+ api.example.net:
+ paths:
+ "/ok.json":
+ mruby.handler: |
+ Proc.new do |env|
+ [200, {'content-type' => 'application/json'}, ['{"status":"ok"}']]
+ end
+ # a websockets-aware reverse proxy
+ ws.example.net:
+ paths:
+ "/":
+ proxy.websocket: ON
+ proxy.reverse.url: "http://localhost:1080/"
Index: www/h2o/pkg-descr
===================================================================
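Review bot: The TLS block contradicts its own comment: the line above says `# using at least TLS1.2 restricts many older devices`, yet the value is `minimum-version: TLSv1.1`, while the file header promises a "high-security configuration" and the sample this replaces used TLSv1.2. Either set `minimum-version: TLSv1.2` or reword the comment to say that 1.1 is deliberately still allowed for old clients, so readers know which one is the intent. Relatedly, the `cipher-suite` list ends with 3DES (`*-DES-CBC3-SHA`) and non-ECDHE/DHE `AES*-SHA*` suites, so the "forward secrecy" and "high-security" framing in the comments is weaker than it reads; a comment marking that tail as a compatibility fallback, or trimming it, would help. Minor wording: `# 6 months HSTS pinning` should read `# 6 months HSTS` (HSTS is not key pinning), and `redireect` and `diffie-hellmann` are typos.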
--- www/h2o/pkg-descr
+++ www/h2o/pkg-descr
@@ -1,16 +1,16 @@
 H2O is a very fast HTTP server written in C. It can also be used as a library.
+
 It supports:
 - HTTP/1.0, HTTP/1.1
-- [HTTP/2](http://http2.github.io/)
-- draft 16 (and draft 14 to support older clients)
+- HTTP/2
 - persistent connections
 - chunked encoding
 - negotiation methods: NPN, ALPN, Upgrade, direct
 - dependency and weight-based prioritization
 - server push
 - TLS up to 1.3
-- uses [OpenSSL](https://www.openssl.org/)
+- support OpenSSL and LibreSSL
 - forward secrecy
 - AEAD ciphers
 - OCSP stapling (automatically enabled)
@@ -18,6 +18,7 @@
 - conditional GET using last-modified / etag
 - mime-type configuration
 - reverse proxy
-- persistent upstream connection
+- websocket support
+- embedded mruby interpreter for high speed custom functions
 WWW: https://github.com/h2o/h2o